[Dovecot] Dovecot under daemontools
Hi there
I'm having difficulties in getting dovecot to run under daemontools. Also, from a sysadmin perspective, so far, I find dovecot's config rather complex
- I suppose that's what happens when one attempts to appease all authentication methods... anyway, I digress.
System details, to set the scene:
OS: Slackware Linux Linux Kernel: 2.4.29 GCC: 3.2.2 Dovecot version: 1.0.rc6 Dovecot configure options: ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --with-checkpassword --without-passwd --without-passwd-file --without-shadow --without-pam --without-bsdauth --without-gssapi --without-ldap --without-vpopmail --with-prefetch-userdb --without-sql --without-pgsql --without-mysql --with-ssl=openssl --without-pop3d --with-storages=maildir --without-deliver MTA: qmail Storage: Maildirs under a single virtual user (vmail) Checkpassword: /var/qmail/bin/qmail-vpoplogin (modified cdb checkpassword) User DB: /var/qmail/users/vpasswd.cdb
/etc/dovecot.conf
base_dir = /var/run/dovecot protocols = imap listen = 127.0.0.1 ssl_disable = yes shutdown_clients = yes log_path = /var/log/dovecot login_dir = /var/run/dovecot/login maildir_copy_with_hardlinks = yes protocol imap {
only require access from webmail on same host
listen = 127.0.0.1:143 } auth default { passdb checkpassword { args = /var/qmail/bin/qmail-vpoplogin } userdb prefetch { }
user who can access user/passwd db
user = auth }
Firstly, I cannot run dovecot as an unprivileged user, as the OS moans that the user doesn't have permission to write to /dev/stderr. I've had a similar issue running Clamav, but a patch to Clamav resolved this? This seems to be related to referencing /dev/stderr directly. Any ideas?
Should I be running dovecot as the virtual mailbox user vmail?
Before I ramble on about what I've tried, could someone explain to me what dovecot actually does, in terms of privilege separation? The online docs are somewhat convoluted. This would help shed light on the solution.
I also noticed the posts re daemontools some time ago, yet they do not include any setup solutions etc - I'd appreciate details from those of you who've succeeded in this regard.
Thanks Dale
* On 10/08/06 16:22 +0200, dale gallagher wrote: | Hi there Hi Dale! | I'm having difficulties in getting dovecot to run under daemontools. http://www.thedjbway.org/imap/dovecot.html | Also, from a sysadmin perspective, so far, I find dovecot's config | rather complex | - I suppose that's what happens when one attempts to appease all | authentication methods... anyway, I digress. There are two plausible solutions to this complexity problem: 1. Use a Windows Server with some click next-> next 2. Quit being Sysadmin ;) Sorry, one more .... courier-imap is easier to configure, no? Kidding time ;) -Wash http://www.netmeister.org/news/learn2quote.html DISCLAIMER: See http://www.wananchi.com/bms/terms.php -- +======================================================================+ |\ _,,,---,,_ | Odhiambo Washington <wash@wananchi.com> Zzz /,`.-'`' -. ;-;;,_ | Wananchi Online Ltd. www.wananchi.com |,4- ) )-,_. ,\ ( `'-'| Tel: +254 20 313985-9 +254 20 313922 '---''(_/--' `-'\_) | GSM: +254 722 743223 +254 733 744121 +======================================================================+ Going to church does not make a person religious, nor does going to school make a person educated, any more than going to a garage makes a person a car.
On Thu, 2006-08-10 at 17:40 +0300, Odhiambo WASHINGTON wrote:
I'm sure you're just kidding, but I kinda have to agree here. There are some improvements that could be made in the system. 1. The whole *BSD poll/kqueue issue. From what configure says, kqueue shouldn't ever show up. 2. POP? It gets compiled in automatically, yet doesn't start. Doesn't bother me, as I'm just using IMAP, but it doesn't seem logical. If POP doesn't start by default, I wouldn't think it would be compiled in by default. 3. Config file. It flows well, but it's freaking huge. 3a Quotas. Where are you told that to enable imap quotas, you need to say: mail_plugins = quota imap_quota Maybe I missed it, but I modified horde to manually get the quotas because I couldn't find or figure out how enable it in dovecot. 4. Config file gets overwritten on make install. Good thing I grew up with Leisure Suit Larry ;)
Sorry, one more .... courier-imap is easier to configure, no?
Yes on FreeBSD, you have IMAP/POP and SSL config files. My suggestion would be to limit the compiled in defaults, or default to nothing and require the user to select what they need and dynamically add those sections to the example config file for each compiled in module. IMAP/POP, auth, and whatever else. And maybe be a little more descriptive on quotas (though I understand this is a new feature - at least for Maildir). Rick
Rick Romero wrote:
No it doesn't. *dovecot-example.conf* gets overwritten on each install; very different thing. It is worthwhile to make a copy of the prior dovecot-example.conf so you can make a diff and see what has changed (this is very useful during the rc period).
John
-- John Peacock Director of Information Research and Technology Rowman & Littlefield Publishing Group 4501 Forbes Boulevard Suite H Lanham, MD 20706 301-459-3366 x.5010 fax 301-429-5748
On Thu, 2006-08-10 at 10:05 -0500, Rick Romero wrote:
I'm not sure what you mean by this.
Well, I think compiling and using by default are different things. Compiling everything by default doesn't really hurt anything, but using all of them by default does.
I can't really think of how this could be improved. I think no matter what change I do people will start complaining.
Yea. For v2.0 I'm planning on splitting it up. I already once did such a split and asked people's suggestions about that (IIRC).
I'm hoping to get http://wiki.dovecot.org/NewIndex into a usable state some day and it should hopefully be easy enough to install Dovecot into a fully usable state. :)
Anyway there already is wiki -> Quota page.
Sorry, one more .... courier-imap is easier to configure, no?
Yes on FreeBSD, you have IMAP/POP and SSL config files.
I think SSL certificates are generated by most Dovecot binary packages, so this is a FreeBSD port-issue I think..
On Thu, 2006-08-10 at 19:03 +0300, Timo Sirainen wrote:
Just to restate myself - I'm really loving dovecot, it just flies :)
Well the way I read configure --help is this:
--with-ioloop=IOLOOP Specify the I/O loop method to use (epoll, kqueue, poll; best for the fastest available; default is poll) --with-notify=IOLOOP Specify the file system notification method to use (dnotify, inotify, kqueue, none; default dnotify if compilable, otherwise none)
If I don't specify anything, I should get 'poll' and 'dnotify' - if
FreeBSD supports it - or 'none', respectively.
On my FreeBSD box, I get kqueue and kqueue.
I don't know or understand what the differences are - but it seems to me if configure followed what was documented, there wouldn't be these kqueue issues on BSD. Changing configure to work as documented, would essentially fix that issue.
The only reason I suggested selective compiling is to help with the config file. It has so much to it, if you were able to reduce the 'unnecessary' bits based on the configure line, it wouldn't be so overwhelming. Look at the last post where the user had about 12 'real' lines to his config file. My modified one (comments and extra stuff left in there) is 1000 lines. I bet for a 'vpopmail/maildir' setup, it could be under 100 and still be descriptive.
I can't really think of how this could be improved. I think no matter what change I do people will start complaining.
I agree :)
I think anyone who already has it setup shouldn't care too much, it would only affect people who haven't had to figure it out yet.
Ahh I see now. I think I skipped 'Quota' and just read Quota/Maildir assuming that would be more 'accurate' instead of just 'specific'.
Actually, I compiled from source. I was inferring that courier was easier to configure because the config files were split up. :)
Rick
On Thu, 2006-08-10 at 18:49 +0200, Geert Hendrickx wrote:
That's definitely a solution, except I compiled from source on my own, I didn't use the port.
Otherwise I'd would let the port maintainer know that kqueue seems to be an issue and it probably should be changed..
Is that you? :)
Geert
On Thu, Aug 10, 2006 at 11:53:07AM -0500, Rick Romero wrote:
Maybe that's why he made it an option? --with-ioloop=poll gave me problems as well.
Is that you? :)
No, I'm the maintainer of the Dovecot package in NetBSD's pkgsrc. :-) Maybe I should consider making it an option there, too.
GeertOn Thu, 2006-08-10 at 11:23 -0500, Rick Romero wrote:
If you didn't use the port, then it really should have used poll. In 1.0rc1 version it could have used kqueue, but I don't see why it would happen with newer rcs.
Notify's description is wrong though. It uses inotify -> kqueue -> dnotify -> none ordering by default.
I think most of the parts that can be compiled off don't take all that much space in the config file. Here's the config file split that I was thinking about, probably missing some of the latest changes:
http://dovecot.org/tmp/newconf/
The dovecot-example.conf should also contain some include-directives for the other files.
On Thu, 2006-08-10 at 20:33 +0300, Timo Sirainen wrote:
Oh, I don't know about anyone else, but I like that. Except for safety.conf (which I believe you need the login_user - maybe that's just me), it's pretty obvious what you really need to fill out to fire up dovecot and check it out.
I think the auth part is probably the worst section. It doesn't look so bad on a webpage, but in a terminal it's daunting.
- Maybe if the options were tagged with 'REQUIRED' or something.
- Or how about specifying 'select one passdb and one userdb' at the beginning of auth default { ?
I think just having passdb and userdb is initially confusing as well, but there's not much you can do about that, other that specifically saying what is required.
There's just so much data, and nothing really jumps out at you ;)
Rick
On Thu, 2006-08-10 at 12:56 -0500, Rick Romero wrote:
There aren't really any required options. :)
Or maybe I could group the most commonly used passdb+userdb combinations into separate auth-xxx.conf files and include them in the main auth.conf. The includes would be commented out, so the files wouldn't have to be. Then there'd be:
auth-pam.conf: passdb pam, userdb passwd (and userdb static?) auth-passwd.conf: passdb passwd, userdb passwd auth-shadow.conf: passdb shadow, userdb passwd auth-bsdauth.conf: passdb bsdauth, userdb passwd auth-passwd-file.conf: passdb passwd-file, userdb passwd-file auth-sql.conf: passdb sql, userdb sql (and userdb prefetch?) auth-ldap.conf: passdb ldap, userdb ldap (and userdb prefetch?) auth-checkpassword.conf: passdb checkpassword, userdb prefetch auth-vpopmail.conf: passdb vpopmail, userdb vpopmail
And the main auth block would also mention something about it being possible to combine the passdbs and userdbs however wanted.
The above grouping would probably also help with that.
I'd almost want to implement this before v1.0, but probably too late. :)
On Thursday 10 August 2006 17:03, Timo Sirainen wrote:
Maybe a good idea to install config's to /etc/dovecot instead of just /etc then - I'm planning to do this for Gentoo's dovecot ebuild as I've got an open bug for including sieve support and that needs an extra config file so it's down directory makes sense.
Thanks
-- Roy Marples <uberlord@gentoo.org> Gentoo/Linux Developer (baselayout, networking)
* On 10/08/06 10:05 -0500, Rick Romero wrote: | On Thu, 2006-08-10 at 17:40 +0300, Odhiambo WASHINGTON wrote: | > * On 10/08/06 16:22 +0200, dale gallagher wrote: | > | Hi there | > | > Hi Dale! | > | > | I'm having difficulties in getting dovecot to run under daemontools. | > | > http://www.thedjbway.org/imap/dovecot.html | > | > | > | Also, from a sysadmin perspective, so far, I find dovecot's config | > | rather complex | > | - I suppose that's what happens when one attempts to appease all | > | authentication methods... anyway, I digress. | > | > There are two plausible solutions to this complexity problem: | > | > 1. Use a Windows Server with some click next-> next | > 2. Quit being Sysadmin | > | > ;) | | I'm sure you're just kidding, but I kinda have to agree here. There are | some improvements that could be made in the system. | | 1. The whole *BSD poll/kqueue issue. From what configure says, kqueue | shouldn't ever show up. It was problematic, so I simply disabled the compilation for KQUEUE using `make config` in /usr/ports/mail/dovecot (Yes, I use FreeBSD). | 2. POP? It gets compiled in automatically, yet doesn't start. That is not true, or perhaps you disabled it in dovecot.conf! It starts in mine. I have about 20 boxes running dovecot. | Doesn't bother me, as I'm just using IMAP, but it doesn't seem logical. Sure. What is the error though? | If POP doesn't start by default, I wouldn't think it would be compiled in by | default. I reserve my comment on that, since in my setups, I need both. I migrated from courier-imap to dovecot because I got convinced it's better. Timo is always here, and answers questions like the problem is his. Thanks Timo. | 3. Config file. It flows well, but it's freaking huge. Only when you get into the complicated details. In my case: ksm# egrep -v '^[[:space:]]*(#|$)' /usr/local/etc/dovecot.conf | wc -l 39 So, only 39 lines. | 3a Quotas. Where are you told that to enable imap quotas, you need to | say: mail_plugins = quota imap_quota | Maybe I missed it, but I modified horde to manually get the quotas | because I couldn't find or figure out how enable it in dovecot. I implement quota via the MTA. Pretty easy with Exim. You should think about using MTA to control quota if dovecot is complicated. Just an advise. | 4. Config file gets overwritten on make install. Good thing I grew up | with Leisure Suit Larry ;) You have lied! But again what is your platform and how do you upgrade? Perhaps the FreeBSD ports have made me so stupid. They never overwrite any config files... | > Sorry, one more .... courier-imap is easier to configure, no? | | Yes on FreeBSD, you have IMAP/POP and SSL config files. | | My suggestion would be to limit the compiled in defaults, or default to | nothing and require the user to select what they need and dynamically | add those sections to the example config file for each compiled in | module. IMAP/POP, auth, and whatever else. And maybe be a little | more descriptive on quotas (though I understand this is a new feature - | at least for Maildir). These are documented in the Wiki, no? You just have to spare time when you want to implement a feature, and understand how dovecot implements it. The architecture differs between these apps, you know, just as the authors differ. -Wash http://www.netmeister.org/news/learn2quote.html DISCLAIMER: See http://www.wananchi.com/bms/terms.php -- +======================================================================+ |\ _,,,---,,_ | Odhiambo Washington <wash@wananchi.com> Zzz /,`.-'`' -. ;-;;,_ | Wananchi Online Ltd. www.wananchi.com |,4- ) )-,_. ,\ ( `'-'| Tel: +254 20 313985-9 +254 20 313922 '---''(_/--' `-'\_) | GSM: +254 722 743223 +254 733 744121 +======================================================================+ Time flies like an arrow, but fruit flies like a banana.
On 10/08/06, Odhiambo WASHINGTON <odhiambo.raburu@wananchi.com> wrote:
Jokes aside, I haven't touched MS for years, for good reason. I'm not into point-and-click, but really, computing should become simpler over time, not more complex and the simpler systems are inevitably better - http://en.wikipedia.org/wiki/Ockham%27s_razor
Currently using BincIMAP in production which is trivial to setup (I know, it was specifically designed to run in the qmail + checkpassword + daemontools environment) - however, it doesn't implement SORT.
All my services run under daemontools, so I have a fair amount of experience there.
dale gallagher wrote:
...snip...
log_path = /var/log/dovecot ...snip...
You aren't using the correct log_path; it should be:
log_path = /dev/stderr
which *can* be written to by an unprivileged user.
Google is your friend:
http://www.thedjbway.org/imap/dovecot.htmlI use the run file listed on that page without change and it works just fine.
John
-- John Peacock Director of Information Research and Technology Rowman & Littlefield Publishing Group 4501 Forbes Boulevard Suite H Lanham, MD 20706 301-459-3366 x.5010 fax 301-429-5748
Hi John
Thanks for responding. I've progressed somewhat - details follow.
On 10/08/06, John Peacock <jpeacock@rowman.com> wrote:
You aren't using the correct log_path; it should be:
log_path = /dev/stderr
I did have this option set, sorry - I pasted the previous config. The log process appears to be working since I changed a few other settings.
Google is your friend:
http://www.thedjbway.org/imap/dovecot.html
This is the exact URL which I'd started from before I even started building Dovecot.
$ cat /service/dovecot-imapd/run
#!/bin/sh
exec 2>&1
echo "Starting dovecot IMAP service"
exec envuidgid dovecot
/usr/sbin/dovecot
-F
-c /etc/dovecot.conf
$ cat /service/dovecot-imapd/log/run #!/bin/sh exec setuidgid log multilog t /var/log/dovecot-imapd
I'm now getting the following error in the logs - any idea? The error isn't terribly informative.
Fatal: sigaction(SIGRTMIN) failed: Invalid argument
---- My revised /etc/dovecot.conf is ----
base_dir = /var/run/dovecot/
protocols = imap protocol imap { listen = 127.0.0.1:143143 }
shutdown_clients = yes
log_path = /dev/stderr log_timestamp =
ssl_disable = yes
login_dir = /var/run/dovecot/login login_chroot = yes login_user = dovecot login_greeting = Dovecot ready.
maildir_copy_with_hardlinks = yes
auth default { mechanisms = plain passdb checkpassword { args = /var/qmail/bin/qmail-vauth } userdb prefetch { } user = auth }
---- Some more detail regarding permissions (if this is pertinent) ----
$ id dovecot uid=1016(dovecot) gid=211(dovecot) groups=211(dovecot)
$ id auth uid=1017(auth) gid=212(auth) groups=212(auth)
$ ls -la /var/qmail/users/ | grep vpasswd -rw-r----- 1 root auth 2814 Aug 3 11:03 vpasswd -rw-r----- 1 root auth 5621 Aug 3 11:04 vpasswd.cdb
$ ls -la /var/log | grep dove drwxr-x--- 2 log log 4096 Aug 10 14:51 dovecot-imapd
$ ls -la /var/qmail/bin | grep vauth -rws--s--x 1 root auth 10320 May 11 2005 qmail-vauth
dale gallagher wrote:
That would seem to suggest that you have a broken O/S. You may want to go with a more modern (i.e. 2.6.x kernel) installation.
John
-- John Peacock Director of Information Research and Technology Rowman & Littlefield Publishing Group 4501 Forbes Boulevard Suite H Lanham, MD 20706 301-459-3366 x.5010 fax 301-429-5748
I tried building with --with-ioloop=none alone, but that resulted in the same error, namely: Fatal: sigaction(SIGRTMIN) failed: Invalid argument
Then, I configured with both --with-ioloop=none and --with-notify=none and the original error has gone, but a new one has reared its head:
dovecot: Info: Dovecot v1.0.rc6 starting up dovecot: Error: Login process died too early - shutting down dovecot: Error: child 17320 (login) killed with signal 11 dovecot: Error: child 17319 (login) killed with signal 11
Where should I look for problems now? Could this be with my checkpassword binary?
On 10/08/06, dale gallagher wrote:
I've tried various settings for the dovecot (login) user, without any change in the above errors.
Attempt 1: HOME=/bin/true, SHELL=/bin/true Attempt 2: HOME=/var/log/dovecot/login, SHELL=/bin/sh
Am I barking up the wrong tree with trying to tweak the login user's env?
Any ideas?
On Thu, 2006-08-10 at 18:37 +0200, dale gallagher wrote:
This is because I once again left something broken. ssl_disable=yes causes crashes. Fix here: http://dovecot.org/list/dovecot-cvs/2006-August/006209.html
Or wait for 1.0rc7 which I'll release in a few hours.
participants (9)
-
dale gallagher
-
Geert Hendrickx
-
Jakob Hirsch
-
John Peacock
-
Odhiambo WASHINGTON
-
Odhiambo WASHINGTON
-
Rick Romero
-
Roy Marples
-
Timo Sirainen